Threat actors are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with about 4,000 active installations, to execute arbitrary code, leading to a complete site compromise.

The vulnerability in question is CVE-2026-3300 (CVSS score: 9.8), a remote code execution bug impacting all versions of the plugin up to, and including, 1.9.12. A patch for the flaw was released on March 18, 2026, with version 1.9.13.

“This is due to the Calculation Addon’s process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(),” Wordfence said.

“The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the ‘Complex Calculation’ feature.”

Successful exploitation of the vulnerability could allow unauthenticated bad actors to execute arbitrary PHP code on the server, permitting them to create rogue administrator accounts, deploy web shells, and open other ways to burrow deeper into the server and establish persistent footholds.

According to the WordPress security company, attackers have been observed exploiting the flaw starting April 13, 2026. More than 29,300 exploit attempts targeting the defect have been blocked to date. Of these, 16 attack attempts occurred in the last 24 hours. The most common payload involves attempts to create an administrator account named “diksimarina” (email address: [email protected]) on the compromised site.

These attack efforts have originated from the following IP addresses –

  • 202.56.2.126
  • 209.146.60.26
  • 15.235.166.18
  • 2402:1f00:8000:800::40db
  • 185.78.165.153
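A triage sketch built on the indicators reported above (source IPs, the rogue administrator login, and the 1.9.13 fix boundary), added here as an example and not taken from Wordfence or the plugin vendor. The function names, the combined access-log format, and the (login, role) export shape are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re

# Indicators and version boundary as reported in the article.
IOC_IPS = {ipaddress.ip_address(a) for a in (
    "202.56.2.126", "209.146.60.26", "15.235.166.18",
    "2402:1f00:8000:800::40db", "185.78.165.153")}
IOC_ADMIN_LOGIN = "diksimarina"
FIRST_FIXED = (1, 9, 13)  # 1.9.13 carries the patch

# Assumption: access logs use the common "combined" format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines (paths, times and sizes are made up).
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Apr/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"',
    '202.56.2.126 - - [14/Apr/2026:10:02:11 +0000] "POST /contact/ HTTP/1.1" 200 512 "-" "-"',
    '2402:1F00:8000:0800:0000:0000:0000:40DB - - [14/Apr/2026:10:03:40 +0000] "POST /contact/ HTTP/1.1" 200 512 "-" "-"',
    'not a log line',
]

def is_vulnerable(version):
    """True for plain dotted versions below 1.9.13 (i.e. up to 1.9.12)."""
    return tuple(int(p) for p in version.split(".")) < FIRST_FIXED

def ioc_hits(log_lines):
    """Return (ip, timestamp, method, path, status) for requests from IoC IPs."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            # ip_address() normalises expanded or upper-case IPv6 spellings,
            # so a plain string comparison is not relied on.
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if src in IOC_IPS:
            hits.append((str(src), m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return hits

def rogue_admins(users):
    """users: (login, role) pairs from a user export (assumed input shape)."""
    return [login for login, role in users
            if role == "administrator" and login.lower() == IOC_ADMIN_LOGIN]

if __name__ == "__main__":
    for hit in ioc_hits(SAMPLE_LOG):
        print(hit)
```

A hit from a listed address, or an administrator with the reported login, is a reason to investigate the site further; the absence of hits does not rule out compromise from other sources.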

Skimmer Attacks Exploit Stripe for C2

The disclosure comes as Sansec warned of multiple skimmer campaigns, including one that uses Stripe as a command-and-control (C2) server and a data exfiltration sink in a bid to exploit the reputation of the brand and slip past Content Security Policy rules and network filters.

“The attacker treats Stripe as free infrastructure, not a way to launder charges,” Sansec noted. “Stripe gives them a writable database for stolen cards and a code-hosting endpoint for the skimmer, both behind a domain that CSP rules and network filters trust by default.”

The campaign relies on Google Tag Manager (GTM) and Stripe domains – googletagmanager.com and api.stripe.com – which are both trusted implicitly by online stores, with the malicious code loaded from a GTM container and executed on every page that loads it.

On Magento and Adobe Commerce checkout pages, it extracts an obfuscated skimmer from a Stripe customer account’s (“cus_TfFjAAZQNOYENR,” in this case) metadata field, and saves the financial information, billing and email…


Last Update: June 5, 2026